====== Setup an package building environment for Debian/Ubuntu ======
These are personal notes on how I setup package build environments. When done, I intend to writeup a blog post about it.
===== Install a Debian or Ubuntu Machine =====
This step may be a bare-metal, or virtual machine, such as bare [[Linux/KVM|http://www.linux-kvm.org/]], libvirt, VirtualBox or VMWare.
First, install a minimal system. For Ubuntu, I recommend using the Server CD, and install only the SSH Task. This installer is very similar to the Debian installation media, as both use the software [[d-i||http://wiki.debian.org/DebianInstaller]]. This installer comes with extensive documentation here: http://www.debian.org/releases/testing/amd64/
For both, Debian and Ubuntu, I recommend installing in "expert mode", which can be selected at the boot prompt.
==== Installing LXC ====
Ubuntu (I guess the same is true for debian) offers convenient means to create Debian and Ubuntu based LXC containers. Inside the container the network, filesystem, and processes are isolated, but disk space, disk i/o and cpu time is shared. It is also very lightweight as no extra kernel is involved. For details, see https://help.ubuntu.com/lts/serverguide/lxc.html.
I recommend running the root filesystem on ''btrfs'', lxc-create will automatically detect this and create subvolumes as appropriate.
Steps to create a container suitable for package building:
SUITE=wheezy lxc-create -t debian-build
ln -s /var/lib/lxc/debian-build/config /etc/lxc/auto/debian-build.conf
Ubuntu confines the container with app-armor in order to limit the capability and permissions of processes inside the container, and thus, to limit the security risks of untrusted code "breaking out" of the container. Unfortunately, some of those measures break schroot. To fix this there are two options:
- Run the container in with the unconfined profile
- Create and use the following profile:
# /etc/apparmor.d/lxc/lxc-schroot
#
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-schroot flags=(attach_disconnected,mediate_deleted) {
#include
#include
mount fstype=cgroup -> /sys/fs/cgroup/**,
mount options in (ro,rw,bind,nosuid,noexec,remount) /**/ -> /var/lib/schroot/**/,
mount fstype=proc,
mount fstype=sysfs,
}
Unfortunately, this is not enough. The default lxc configuration limits the use of ''mknod'', so further tweaks to the lxc container configuration are necessary. Here is my configuration for reference:
# Template used to create this container: debian
# Template script checksum (SHA-1): 33e3fc0cb7e2809453c36e81fe0fe4aa5542c208
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.ipv4 = 10.0.3.200
lxc.rootfs = /var/lib/lxc/debian-build/rootfs
lxc.tty = 4
lxc.pts = 1024
lxc.utsname = debian-build
# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined
lxc.aa_profile = lxc-container-schroot
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
# found on http://wiki.progress-linux.org/software/lxc/
# Allow to mknod all devices (but not using them)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# mounts point
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
==== Preparing the environment ====
Install packages that are relevant for packaging. Note that I prefer [[http://www.debian.org/doc/manuals/developers-reference/tools.html#sbuild|''sbuild'']] over ''pbuilder'' for two reasons: First, this is the software that runs on the official buildds in both Debian and Ubuntu. Second, the packaged version extensively uses ''schroot'' for chroot management, which makes it very easy to setup and maintain separate build environments (such as ''squeeze + squeeze-backports'' or ''quantal + some-extra-ppa'').
The following command gets you started:
sudo apt-get install packaging-dev pbuilder- sbuild ubuntu-dev-tools
The ''ubuntu-dev-tools'' package is available in all relevant versions of Ubuntu, and in Debian since ''debian/wheezy''
==== Setup the build chroot and keeping it up-to-date ====
This step needs to be repeated for every build environment you want to use:
mk-sbuild --eatmydata unstable
Replace ''unstable'' with the distribution you want to base this on. On Intel 64bit installations, this will create ''unstable-amd64'' as ''schroot'' managed "chroot". Adjust to your environment as necessary.
Note that in this setup, your user needs to be in the group ''sbuild''. The [[man>mk-sbuild]] tool takes care about that, that is, it adds your user to the group via [[man>adduser]], and asks you to relogin.
Now enter the chroot and edit the package sources in ''/etc/apt/sources.list'' and ''/etc/apt/sources.list.d/*.list'':
sudo schroot -c source:unstable-amd64 -u root
sensible-editor /etc/apt/sources.list
To install the latest update in that environment, use:
sudo schroot-update -ud unstable-amd64
This runs unattendedly and could also be run via cron.
==== Building a package ====
To build a package, use:
sbuild -A -d unstable hello.dsc